News

Caribou Coffee reports security breach

December 21, 2018

Caribou Coffee President John Butcher reported today on the chain's website that it has fallen victim to a security breach. Customers who visited any company-owned Caribou locations between Aug. 28 and Dec. 3 may be at risk. 

"There is a possibility that your name and credit card information, including card number, expiration date and card security code may have been accessed as a result of this unauthorized activity," Butcher wrote in an open letter. 

On Nov. 28, 2018, the chain identified unusual activity on its network through its information security monitoring processes, Butcher said. Upon identifying this issue, it began working with Mandiant, a cyber security firm, to understand the scope of the incident and determine whether there had been any unauthorized access. On Nov. 30, Mandiant reported that it had detected unauthorized access to the point-of-sale systems, exposing some customers' data. 

"Mandiant worked with us to contain the breach and ensure that the unauthorized access was stopped immediately," Butcher said. "At this time, we are confident that the breach has been contained."

Payments made through any Caribou Coffee Perks account or other loyalty account were not affected, nor were catering orders placed online with Bruegger's Bagels, Einstein Bros. Bagels, Manhattan Bagel and Noah's NY Bagels, which are owned by Caribou Coffee.

"We are using Mandiant because of its expertise in data forensics and data security matters to conduct an investigation," Butcher said. "We also have contacted and are in close coordination with the F.B.I. and are cooperating with its ongoing review."

Butcher said the chain is closely monitoring is systems, data and account access and are making the necessary changes to strengthen its network against any future attacks.

"We also are in regular communication with the credit card companies and will provide them with the information necessary to notify the banks that may have issued the affected payment cards,” he said.

Taking action
To determine whether they were affected by the security breach, customers may review the list of potentially affected locations on the company's website and review their credit and debit card statements for any unauthorized charges. 

"We sincerely apologize that this breach occurred and assure you that our team is working to help prevent data security issues from occurring in the future," Butcher said. "The privacy and security of your information is very important to us and we remain committed to doing everything we can to maintain the confidentiality of your information. We appreciate your patience and loyalty as a customer."

The Minnesota-based chain has more than 500 units across the globe.